Rev 581 | Go to most recent revision | Blame | Last modification | View Log | RSS feed
Where is SERVER_SECRET being used?----------------------------------System:- Auth content StoreOIDplusAuthContentStoreJWT.class:Key to sign JWT tokens (used for Automated AJAX requests and logins with "Remember me") using PBKDF2+HMAC(ONLY if the server does not have a Public/Private key pair!)JWT = HS512(hash_pbkdf2('sha512', SERVER_SECRET+"/OIDplusAuthContentStoreJWT", '', 10000, 64/*256bit*/, false))- Session Handler:Encryption of session contents (regular logins)- Auth utils: Generation of auth keysmakeAuthKey(data) = sha3_512(SERVER_SECRET + "/AUTHKEY/" + data)used at plugin invite RA (ra/092):makeAuthKey("activate_ra;" + email + ";" + timestamp)= sha3_512(SERVER_SECRET + "/AUTHKEY/activate_ra;" + email + ";" + timestamp)used at plugin change RA email (ra/102):makeAuthKey("activate_new_ra_email;" + old_email + ";" + new_email + ";" + timestamp)= sha3_512(SERVER_SECRET + "/AUTHKEY/activate_new_ra_email;" + old_email + ";" + new_email + ";" + timestamp)used at plugin forgot RA password (public/091):makeAuthKey("reset_password;" + email + ";" + timestamp)= sha3_512(SERVER_SECRET + "/AUTHKEY/reset_password;" + email + ";" + timestamp)used at plugin ViaThinkSoft FreeOID activation (public/200):makeAuthKey("com.viathinksoft.freeoid.activate_freeoid;" + email + ";" + timestamp)= sha3_512(SERVER_SECRET + "/AUTHKEY/com.viathinksoft.freeoid.activate_freeoid;" + email + ";" + timestamp)Plugin WHOIS (public/100):- Authentication token for hidden OIDs = smallhash(SERVER_SECRET + "/WHOIS/" + id);Plugin VNag version check (admin/901):- Webreader password = sha3_512(SERVER_SECRET + "/VNAG")